Information security is not a theoretical science but rather the art of combining computer technology with human communication and psychology

Eddie Lee demonstrated at DefCon XX how RFID credit card data can be stolen and used to run a payment transaction through a replay attack with a regular NFC-enabled cell phone (loaded, of course, with specially crafted software):

"NFCProxy is a new tool (being released at DEF CON 20) that allows you to proxy RFID transactions using Android phones. NFCProxy can record and replay RFID transactions from the perspective of the tag or the PCD (proximity coupling device). NFCProxy is an open source tool/framework that can be used to analyze 13.56 MHz RFID protocols and launch replay (and potentially man in the middle) attacks. You can even use NFCProxy as a virtual wallet by storing previously scanned RFID enabled credit cards and replaying them later at a POS (point of sale) terminal. No fancy equipment needed…just two NFC capable Android phones running ICS (one with a custom rom). Owning RFID enabled credit cards just got easier!"

I watched the presentation and it was very impressive. Personally, I don't care because I still do not have any card with an RFID chip. However, according to Forbes, there are "100 million contactless credit cards currently in circulation". Pretty good market if someone decides to exploit this vulnerability.

One detail is still unclear though: what specific types of card readers and protocol versions are vulnerable? Was the device used in the demo some 10-year-old refurbished retired unit purchased on eBay, or was it a PCI PTS certified one which is eligible for "secure" deployment at merchants' stores? I sent this question to the PCI SSC PTS group. I will try to obtain these details from the author and will keep you posted.